Cybersecurity Economics – Balancing Operational Security Spending

Stale Ekelund, Zilia Iskoujina

Research output: Contribution to journal › Article

Abstract

The purpose of this paper is to demonstrate how to find the optimal investment level in protecting an organisation’s assets.
This study integrates a case study of an international financial organisation with various methods and theories in security economics and mathematics, such as value-at-risk (VaR), Monte Carlo simulation, exponential and Poisson probability distributions. Thereby it combines theory and empirical findings to establish a new approach to determining optimal security investment levels.
The results indicate that optimal security investment levels can be found through computer simulation with historical incident data to find value at risk (VaR). By combining various scenarios, the convex graph of the risk cost function has been plotted, where the minimum of the graph represents the optimal investment level for an asset.
The results can be used by leading business practitioners to assist them with decision making on investment to the increased protection of an asset.
The originality of this research is in its new way of combining theories with historical data to create methods to measure theoretical and empirical strength of a control (or set of controls) and translating it to loss probabilities and loss sizes.
Language: English
Pages: (In-Press)
Journal: Information Technology & People
Volume: (In-Press)
DOI: 10.1108/ITP-05-2018-0252
Publication status: Accepted/In press - 7 Jan 2019

Fingerprint

assets
Economics
computer simulation
Cost functions
Probability distributions
Values
incident
Decision making
mathematics
scenario
simulation
costs
Industry
Monte Carlo simulation

Cite this

Cybersecurity Economics – Balancing Operational Security Spending. / Ekelund, Stale; Iskoujina, Zilia.

In: Information Technology & People, Vol. (In-Press), 07.01.2019, p. (In-Press).

@article{860bd6c33c6b4a2097303d86918e5c49,
title = "Cybersecurity Economics – Balancing Operational Security Spending",
abstract = "The purpose of this paper is to demonstrate how to find the optimal investment level in protecting an organisation’s assets. This study integrates a case study of an international financial organisation with various methods and theories in security economics and mathematics, such as value-at-risk (VaR), Monte Carlo simulation, exponential and Poisson probability distributions. Thereby it combines theory and empirical findings to establish a new approach to determining optimal security investment levels. The results indicate that optimal security investment levels can be found through computer simulation with historical incident data to find value at risk (VaR). By combining various scenarios, the convex graph of the risk cost function has been plotted, where the minimum of the graph represents the optimal investment level for an asset. The results can be used by leading business practitioners to assist them with decision making on investment to the increased protection of an asset. The originality of this research is in its new way of combining theories with historical data to create methods to measure theoretical and empirical strength of a control (or set of controls) and translating it to loss probabilities and loss sizes.",
author = "Stale Ekelund and Zilia Iskoujina",
year = "2019",
month = "1",
day = "7",
doi = "10.1108/ITP-05-2018-0252",
language = "English",
volume = "(In-Press)",
pages = "(In-Press)",
journal = "Information Technology \& People",
issn = "0959-3845",
publisher = "Emerald Group Publishing Ltd.",
}

TY - JOUR

T1 - Cybersecurity Economics – Balancing Operational Security Spending

AU - Ekelund, Stale

AU - Iskoujina, Zilia

PY - 2019/1/7

Y1 - 2019/1/7

AB - The purpose of this paper is to demonstrate how to find the optimal investment level in protecting an organisation’s assets. This study integrates a case study of an international financial organisation with various methods and theories in security economics and mathematics, such as value-at-risk (VaR), Monte Carlo simulation, exponential and Poisson probability distributions. Thereby it combines theory and empirical findings to establish a new approach to determining optimal security investment levels. The results indicate that optimal security investment levels can be found through computer simulation with historical incident data to find value at risk (VaR). By combining various scenarios, the convex graph of the risk cost function has been plotted, where the minimum of the graph represents the optimal investment level for an asset. The results can be used by leading business practitioners to assist them with decision making on investment to the increased protection of an asset. The originality of this research is in its new way of combining theories with historical data to create methods to measure theoretical and empirical strength of a control (or set of controls) and translating it to loss probabilities and loss sizes.

U2 - 10.1108/ITP-05-2018-0252

DO - 10.1108/ITP-05-2018-0252

M3 - Article

VL - (In-Press)

SP - (In-Press)

JO - Information Technology & People

T2 - Information Technology & People

JF - Information Technology & People

SN - 0959-3845

ER -